I’m under pressure to change to a more user friendly password manager from my favourite of many years KeePass, so I’m trialling LastPass as it seems to be in the top five of most reviews.
It concerns me that the default browser settings are pretty lax and leaves local security open to abuse and it makes me wonder it there are other things I should know about. Using the Windows 10 environment, not an issue in Android as it works through the app. Don't know about iOS.
By default, the LastPass browser extension allows the LastPass user to always be logged in and active when the browser is closed and then restarted.
Even if you shutdown and restart the computer, then LastPass is active and ready to go. Yes, I can change this to be more secure, but with limitations. And yes, this is only an issue if I leave my logged in computer unattended and a shifty character comes along, and yes I can log out of LastPass, but I cannot control others. But as a password manager shouldn’t it be more secure than this? I don’t really think this is a case of Tin Hats, this is supposed to be a secure password manager after all.
- There is no global control of this setting in the account settings, it needs to be changed in each browser extension. We only have 3 household computers, with an average of three browsers each, others will have more. Hmm.
- LastPass browser extensions options are not password protected (I don’t even know if this is possible), so even if you set the extension to logout of LastPass when you close the browser, Mr Shifty can all ways change this option if they happen to use your PC. You don’t even need to be logged into LastPass to change the extension settings.
- In the global account advanced settings, you can fine control when you are prompted for the master password, but invoking any of these mean you basically need to re-enter your master password all the time making things pretty unworkable. Fortunately, as far as I can see the master password is required to implement any of these changes – I see even versions from last year had this as an option, not mandatory.
- This has been around a while, e.g. post starting 2016 https://forums.lastpass.com/viewtopic.php?f=12&t=230475&hilit=browser+extension&start=10
As it stands, it could work in my environment, but given the above has little to offer over KeePass on the desktop. Can't say I'd recommend it to many of my friends.